I paid for an SSL certificate from Namecheap; I think it was certified by ComodoSSL. It cost me $7, it took them a week to activate, and I had to do it myself from SSH while editing my site's configuration files.

Then a friend made me aware of Let's Encrypt who not only give out free SSL certificates, but they can be installed by running a single command.

I'm sure I'm missing something here, but why would I want to pay for an SSL certificate when I can get one installed easily, for free, with automatic renewal set up?

This popped up recently and is mostly the same question: security.stackexchange.com/questions/45491/… The previously validated answer, recently updated, still mostly holds. But in all the answers I am sad to see no one explaining the differences between prices and costs, and price vs. value (associated guarantees and insurances, to be believed or not, etc.)
– Patrick Mevzek, Aug 16 '19 at 17:00

I can see paying for one where there is a business case for the extended validation, etc., in order to have the company name next to the lock icon, etc. From a technical perspective there is no real reason to.
– ivanivan, Aug 17 '19 at 15:52

The whole answer can be summed up by this one sentence from marcelm's answer: "For a certificate to be meaningful, the issuing CA must be trusted by software vendors, otherwise the certificate is useless." All a certificate is is encryption validated by a third party. If you believe Let's Encrypt will never screw up and will never be hacked, then you get value from that. But the reason people pay is they trust other CAs more. Simple as that.
– JakeGould, Aug 18 '19 at 13:04

'All a certificate is is encryption validated by a third party' is meaningless. A certificate isn't encrypted, for a start, it is signed. @JakeGould
– Marquis of Lorne, Aug 19 '19 at 9:45

I'm surprised no one has said this yet: "to pass something off as legit when targeting enterprises who treat letsencrypt with suspicion" usually.
– Alec Teal, Aug 19 '19 at 10:24

How does Alice trust CrediCorp?

That's the real crux here. In short, at some point CrediCorp said "Hey, we're going to make certificates". After putting in a lot of effort following a lot of rules, they managed to convince some people that CrediCorp are, indeed, trustworthy, and they will only issue certificates correctly.

In particular, they managed to convince the makers of, say, Firefox. As a result, CrediCorp gets on Firefox's A-list, and their certificates are trusted by Firefox by default. So really, Alice trusts Firefox, Firefox trusts CrediCorp, and CrediCorp trusted (after verifying) you when you claimed you controlled yourdomain.com. It's almost like a chain.

But, Firefox doesn't just trust CrediCorp to issue certificates for yourdomain.com, it trusts CrediCorp certificates for any domain. And Firefox also trusts ShabbyCorp, for any domain.

This has consequences. If someone manages to convince ShabbyCorp that they control yourdomain.com (because ShabbyCorp isn't very thorough), then they can obtain a ShabbyCorp certificate for yourdomain.com with corresponding private key. And with that certificate they could impersonate your web server. After all, they have a certificate (plus key) for yourdomain.com that is trusted by Firefox!

CrediCorp and ShabbyCorp are what's called Certificate Authorities, CAs for short. In the real world, ComodoSSL and Let's Encrypt are examples of CAs. But there's a lot more of them; as of this writing, Firefox trusts 154 CAs.

Whoa. But how does that answer my question?

I'm ehm, getting to that...

Here's the thing. The mechanics I outlined above apply to all certificates. If you have a correct, trusted certificate for your website, it'll work. There isn't anything special about Brand A certificates versus Brand B certificates; they're all subject to the same CA requirements, and the same crypto math.

And even if you like CrediCorp better — because you know, they just sound sooo much more trustworthy — using them won't really help you. If an attacker can convince ShabbyCorp to give them a certificate for your site, the attacker can use that certificate to impersonate your site, regardless of where you got yours.

As long as Firefox trusts ShabbyCorp, visitors won't see the difference. (Yes, visitors could pull up the certificate, and dig through there, see who issued it. But who does that?) As far as forging certificates is concerned, this makes the entire system as weak as the weakest of 150+ CAs. Why yes, that is scary, and it's probably the biggest criticism people have of this entire scheme. Still, it's what we're stuck with.

Point is, if you don't trust a CA to give out "good" certificates, getting your certificates elsewhere doesn't help you much.

Gotcha, everything is equally doomed. No caveats?

Weeeelllll...

Let's start by killing the point I made in the last section. Nowadays it is possible to lock your domain to just the CAs of your choosing using DNS-CAA. Suppose that you do trust Comodo and don't trust other CAs: it is possible to request that all CAs other than Comodo not issue certificates for your domain. In theory. (Because DNS-CAA is not checked by browsers, only by issuing CAs. So a compromised CA could ignore this safeguard.)

If you're willing to go through that trouble, then the question becomes: is Let's Encrypt actually less trustworthy? Or less secure? Trustworthiness is a hard one; how do you quantify that? All I can say is that in my perception Let's Encrypt is no less trustworthy than other CAs. As for the security of their validations, they are very similar to what commercial CAs do (for DV certificates anyway). See also this question.

For what it's worth: the StackExchange network, which this site is a part of, currently uses Let's Encrypt certificates. Most people would never notice this, and if they did I sincerely doubt if it would mean much to them.

For a certificate to be meaningful, the issuing CA must be trusted by software vendors, otherwise the certificate is useless. I used Firefox as an example, but really you want the CA to be trusted by at least current and somewhat older versions of Firefox, Chrome, Windows, Mac OS X, iOS, and Android. And the dozens of smaller players. CAs worth considering (that includes ComodoSSL and Let's Encrypt) are trusted by all these entities.

If a CA misbehaves, or is revealed as untrustworthy, it will get removed from the various trust stores quickly enough to ruin the day of certificate owners. Two notable examples I know of are DigiNotar and StartCom/WoSign (check out the articles, they provide interesting insights in the trust dynamics!). So if you think Let's Encrypt will screw up, or will be dropped for some other reason, not using them will prevent you from getting caught in that particular fall-out.

Certificates employ some crypto math magic; the question is which crypto math magic? What if it's weak magic? This is actually a real concern, and CAs have been shown to drag their feet on upgrading this, too. Luckily, browser vendors have picked up the slack by setting minimums here for certificates to be accepted. For example, certificates using RSA-1024 or SHA-1 are now rejected by most browsers, so any certificate that works in practice doesn't use these deprecated crypto primitives. The upshot is, it's pretty hard for any CA (Let's Encrypt included) to disappoint on this part anymore.

Before, I more or less said that all certificates are created equal. I lied, they're not. In particular, what I discussed up until now are "Domain Validated (DV) certificates", which are what the vast majority of websites use. They provide a measure of certainty that your browser is actually talking to the domain it shows in the URL bar. There are also "Organization Validated (OV)" and "Extended Validation (EV)" certificates, which require much more elaborate checks from CAs. In particular, you should only be able to get an EV certificate for somebank.com / SomeBank Inc., if you can actually prove you are SomeBank, Inc.

EV certificates are a lot more costly to obtain (ballpark: hundreds of EUR/USD per year), and they may be rewarded with a green URL bar or padlock in the browser, maybe displaying "SomeBank, Inc." as well. Contrary to DV certificates, they also offer some idea as to who the website might actually belong to. The upside is, they may look more legit. The disappointment is, users rarely pay attention to them, so their effectiveness is limited.

An attacker with a forged DV certificate can still impersonate the site, just without the extra visual clue an EV certificate may offer, and users generally don't notice the distinction. Conversely, it is possible to obtain a misleading EV certificate to make phishing easier. As a result, both Chrome and Firefox will be dropping their visual nods to EV certificates, and some people believe they will go away entirely.

If you're a bank, you probably still want an EV certificate for now. Otherwise, not so much. But if you do need EV, Let's Encrypt isn't for you because they simply don't offer EV certificates.

Certificates are only valid for a limited time. Certificates from a typical commercial CA tend to be valid for one year, but I've seen anything from three months to three years. Let's Encrypt certificates are valid for 90 days, which is on the short side of that range, so you'll need to renew them often. For Let's Encrypt users, this is usually automated so that certificates are replaced every 60 days.

Being able to automate renewal with widely available software is actually more pleasant than the yearly "Oh shit, my certificate expired? What's my login at the CA? How does this work again?" ritual that most small sites seem to end up with at commercial CAs.

Before, I called it scary that there are so many CAs we all have to trust. Having many CAs is also an advantage though, in the sense that removing a single one from our trust stores has a limited impact on users. In particular, expelling a single CA will only affect the certificates issued by that one CA. If everyone ends up using one single CA (which some people fear might happen with Let's Encrypt), we concentrate all of our trust there, and lose the advantages of that fragmentation.

And finally, there are other benefits a paid CA might offer, such as commercial support, or a million-dollar SSL warranty. I have little faith in both of these aspects, but they are things that Let's Encrypt does not offer.

My head hurts... I had a question, I think?

Use what you feel comfortable with! For DV certificates, there is little that actually differentiates the various CAs. I use Let's Encrypt both professionally and privately, and I'm happy with it.

There really are only four potential reasons I see to avoid Let's Encrypt:

If you need EV (or OV) certificates.

If you can't or don't want to automate certificate renewal and three months certificate validity is too short for you.

If you don't trust Let's Encrypt (but be sure to consider other measures like DNS-CAA as well, and you should probably blacklist Let's Encrypt in your browser then, too).

If you believe Let's Encrypt will be discontinued or dropped from browsers for some reason.

If none of those apply to you, feel free to not pay for your certificates.
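The DNS-CAA point in the answer above, as an added example that is not marcelm's code: the decision an issuing CA is expected to make before it signs anything, following the closest-ancestor lookup and the issue/issuewild rules of RFC 8659. It runs against a constructed zone table instead of live DNS; all names, records and CA identifiers are made up. Note what it does not model: a browser never performs this check, which is exactly why a CA that ignores CAA can still produce a certificate visitors will accept.

```python
"""
Added example: a CA-side CAA issuance check in the spirit of RFC 8659, run against
a constructed zone table instead of live DNS. Names, records and CA identifiers
are made up for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (128) = "issuer critical"
    tag: str     # "issue", "issuewild", "iodef", or a tag this code does not know
    value: str   # e.g. "letsencrypt.org", "comodoca.com; validationmethods=dns-01", ";" (nobody)


KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone data: name -> CAA RRset. An absent name has no CAA records.
ZONE = {
    "example.com": [CAA(0, "issue", "comodoca.com"), CAA(0, "issuewild", ";")],
    "sub.example.com": [CAA(0, "issue", "letsencrypt.org; validationmethods=dns-01")],
    "locked.example.com": [CAA(128, "futureprop", "whatever")],
    "open.example.net": [CAA(0, "iodef", "mailto:security@example.net")],
}


def relevant_caa_set(name, zone):
    """Closest-ancestor rule: the first non-empty CAA RRset found walking from the
    name toward the root. A wildcard *.X is evaluated as X (RFC 8659 section 3)."""
    labels = name.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels), [])
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def issuer_of(rr):
    """The issuer-domain-name part of an issue/issuewild value; '' means 'no CA at all'."""
    return rr.value.split(";", 1)[0].strip().lower()


def ca_may_issue(name, ca_domain, zone=ZONE):
    """Decide, as CA `ca_domain` would, whether CAA permits issuing a cert for `name`."""
    rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True   # no CAA anywhere up the tree: CAA does not restrict issuance
    # An issuer-critical record whose tag we do not understand forbids issuance.
    if any(rr.flags & 128 and rr.tag.lower() not in KNOWN_TAGS for rr in rrset):
        return False
    restricting = [rr for rr in rrset if rr.tag.lower() == "issue"]
    if name.startswith("*."):
        wild = [rr for rr in rrset if rr.tag.lower() == "issuewild"]
        if wild:
            restricting = wild   # issuewild overrides issue for wildcard names
    if not restricting:
        return True   # only iodef (or similar) records present: nothing restricts issuance
    return any(issuer_of(rr) == ca_domain.lower() for rr in restricting)


if __name__ == "__main__":
    cases = [("www.example.com", "comodoca.com"), ("www.example.com", "letsencrypt.org"),
             ("*.example.com", "comodoca.com"), ("*.sub.example.com", "letsencrypt.org"),
             ("locked.example.com", "comodoca.com"), ("anything.example.net", "letsencrypt.org")]
    for n, ca in cases:
        print(f"{ca:16} may issue for {n:22}: {ca_may_issue(n, ca)}")
```

Two details worth noticing when you write your own records: the `issuewild ";"` at example.com blocks wildcard issuance for everyone while leaving normal names to Comodo, and the record at sub.example.com is the closest ancestor for `*.sub.example.com`, so the parent's `issuewild` no longer applies there.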

Note that EV certificates are no longer considered useful because users ignore them; browsers, especially Chrome and on mobile devices, are removing or burying the green text and display of the name.
– simpleuser, Aug 17 '19 at 9:39

Please keep in mind that you don't ask the trustworthy third party to create a certificate for your private key, but rather for the corresponding public key. Minor nitpick, but important. Your private key never leaves your system.
– MechMK1, Aug 17 '19 at 14:42

Both good points; I was trying to manage the level of detail while still being correct in a big-picture way, but I should have been clearer on these two things. I updated the answer to hopefully reflect these facts a bit better.
– marcelm, Aug 17 '19 at 15:18

To be more specific, as of Chrome v77 (currently v67), Chrome will no longer directly display EV certificates. Firefox (currently 68) plans to do the same as of v70.
– knallfrosch, Aug 18 '19 at 13:52

And to add a third comment about EV certificates, Troy Hunt (re)wrote a good article explaining why they are really dead: troyhunt.com/…
– Neyt, Aug 19 '19 at 13:18

Let's Encrypt is superior in many ways, including the ones that you have mentioned, such as:

It's free. Hard to get past that.

It has automatic renewal (I'm sure it's not JUST exclusive with Let's Encrypt, however)

It's pretty easy to set up.

Google and many others support it as a trusted CA, which is a huge deal when it comes to SEO and security.

However, there are a couple of cons.

The verification system it uses to make sure that you, well, own the site is not compatible with some website hosts; I have had a fair amount of headache trying to get Let's Encrypt to work on InfinityFree, and I just accepted the fate that I couldn't do it.

You don't get any kind of insurance that says "If this breaks, we'll help you out"; since it's open-source, you are on your own if Let's Encrypt doesn't work or is somehow cracked.

"The verification system that it works" It is a standard mechanism, both HTTP-01 and DNS-01, as described by IETF and CAB Forum requirements. All CAs are bound to the exact same one, for DV certificates.
– Patrick Mevzek, Aug 16 '19 at 16:53
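What that "verification system" actually computes, for the HTTP-01 and DNS-01 challenges the comment names, as an added example that is neither the answerer's nor Let's Encrypt's code: the key authorization of RFC 8555 section 8 built on the JWK thumbprint of RFC 7638, shown from the client side (what to publish) and the CA side (what the validator compares). The account keys are constructed strings with the right shape, not real keys, and the token is made up.

```python
"""
Added example: the arithmetic behind ACME's HTTP-01 and DNS-01 challenges
(RFC 8555 section 8, JWK thumbprint per RFC 7638), from both the client and the
CA side. The account keys below are constructed strings, not real keys.
"""
import base64
import hashlib
import json
import re

TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")   # base64url alphabet only


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the required public members only,
    keys sorted, no whitespace. Extra members like 'kid' or 'alg' are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def valid_token(token: str) -> bool:
    """RFC 8555 tells clients to reject tokens outside the base64url alphabet, so a
    hostile or buggy server cannot smuggle path components like '../' into the URL."""
    return bool(TOKEN_RE.match(token))


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint(account key): binds the challenge response to the ACME account."""
    if not valid_token(token):
        raise ValueError("token contains characters outside the base64url alphabet")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


# ---- client side: what to publish ----
def http01_response(token: str, account_jwk: dict):
    """Serve the key authorization as the body at this path, over plain HTTP on port 80."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, account_jwk)


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT record at _acme-challenge.<domain>: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


# ---- CA side: what the validator compares after fetching ----
def ca_validate_http01(fetched_body: str, token: str, account_jwk: dict) -> bool:
    return fetched_body.strip() == key_authorization(token, account_jwk)


def ca_validate_dns01(txt_records, token: str, account_jwk: dict) -> bool:
    return dns01_txt_value(token, account_jwk) in txt_records


def _fake_coord(seed: str) -> str:
    # Constructed 32-byte "coordinate": NOT a point on P-256, only used to build JWK strings.
    return b64url(hashlib.sha256(seed.encode()).digest())


ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": _fake_coord("acct-x"), "y": _fake_coord("acct-y")}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": _fake_coord("other-x"), "y": _fake_coord("other-y")}

if __name__ == "__main__":
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"   # constructed token
    path, body = http01_response(token, ACCOUNT_JWK)
    print("HTTP-01: serve at", path, "->", body)
    print("DNS-01:  TXT _acme-challenge.<domain> =", dns01_txt_value(token, ACCOUNT_JWK))
    print("CA accepts body:", ca_validate_http01(body, token, ACCOUNT_JWK))
    print("Same body, other account key:", ca_validate_http01(body, token, OTHER_JWK))
```

The thing to take from it: the proof is "I can place a string derived from my account key where only the domain's controller can", and nothing about the certificate's private key is involved, which matches MechMK1's point above that the key never leaves your system. Wildcard names are restricted to DNS-01 because only a DNS record can speak for every label under the domain.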

"since it's open-source" It is free (as in beer), not open source. The API is standard (see ACME in IETF) and there are open source clients (and maybe servers).
– Patrick Mevzek, Aug 16 '19 at 16:54

"It has automatic renewal" It is not Let's Encrypt by itself. You, as the certificate owner, have to contact them to ask for renewal. They do not push it to you automatically. It is a side effect of using an automated protocol such as ACME for certificate issuance.
– Patrick Mevzek, Aug 16 '19 at 17:02

"Google supports it as a signed SSL," not just Google and you probably wanted to say that it supports it (Let's Encrypt) as a "fully trusted CA" ("signed SSL" is not meaningful). See letsencrypt.org/2018/08/06/…
– Patrick Mevzek, Aug 16 '19 at 17:03

LetsEncrypt certificates are great. I use them myself instead of buying certificates. There are a few drawbacks:

LetsEncrypt certificates only last 3 months. Most purchased certificates are good for one or two years. That means that you absolutely need an automated process in place to renew your certificates or it is going to be too easy to forget.

LetsEncrypt only offer the lowest validation type of certificate. Domain Validation (DV) only validates that the owner of the certificate has control over the domain. Organization Validation (OV) certificates also check the documentation of the person or company requesting the certificate. Extended Validation (EV) certificates require even further checks. The better your certificate, the harder it is to be forged, and the more your site's authenticity can be trusted because of it. In practice, browsers only give a visual nod to EV certs, usually showing something in green in the address bar for them. Up to this point, most users don't know or care about the different validation levels.

Wildcard certificates are a bit harder to obtain from LetsEncrypt. From other places you generally just pay more money. LetsEncrypt requires DNS validation for wildcard certificates.

Historically, security certificates have always cost something. Other companies that have offered free certificates have come and gone. I used to use StartSSL which offered a single domain free certificate until they did some shady stuff and browsers stopped trusting their certificates. LetsEncrypt has fewer limits than previous free certificate vendors and is far more automated. It also has some big supporters such as the EFF, Mozilla, Chrome, and Cisco. See https://letsencrypt.org/sponsors/ It appears to be well enough run that I expect it to be around for years.

Is there any actual functional difference between DV and OV/EV? Or is it literally just a more thorough check?
– Eight, Aug 16 '19 at 16:09

"LetsEncrypt certificates only last 3 months." It is done on purpose and not seen as a drawback but as a positive thing, in fact.
– Patrick Mevzek, Aug 16 '19 at 16:55

@Eight Different checks and different end results too: a DV certificate identifies a hostname, an OV/EV certificate identifies an entity. Also, CAB Forum requirements put different constraints; you cannot have an EV for 3 years, for example, nor for wildcards.
– Patrick Mevzek, Aug 16 '19 at 16:57

"LetsEncrypt only offer the lowest validation type of certificate. [..] The better your certificate, the more your site can be trusted." This is hugely a matter of personal preference and not a universal truth. And it mostly does not matter, because in the current Web PKI it is the security of the least secure CA in your trust store that defines the security of the whole ecosystem, until everyone uses CAA+DNSSEC on their domains, and all CAs use at least DNSSEC during validation and multiple vantage points.
– Patrick Mevzek, Aug 16 '19 at 16:59

"Up to this point, most users don't know or care about the different validation levels." - Which makes them pretty pointless. If users don't distinguish EV/DV certs, an attacker who obtains a valid DV cert for some domain can carry out MITM attacks on that domain, even if the original site has an EV cert.
– marcelm, Aug 17 '19 at 0:04

Not everything can use automated renewal

CertBot makes it easy to use for websites... but what if you're using certificates for other things?

We have an LDAP server that our website authenticates with. It runs over a secure port, but it needs a signed certificate to run. I could go with a free wildcard certificate... but that means converting the certificate to PKCS12 every 3 months (web servers use PEM) and then importing the new certificate. Oh, and our network firewall uses PKCS12, too. That's a lot of hassle for free.

If you're so inclined, you could also automate that conversion; there's already a cronjob running certbot/acmetool/what-have-you to renew the certificate, and you could add one that invokes openssl to do the conversion.
– marcelm, Aug 19 '19 at 21:00
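One way to do what the comment suggests, as an added example that is not code from either poster or from certbot: a deploy hook that, after a renewal, rebuilds the PKCS#12 bundle the LDAP server and firewall want from the PEM files, verifies it can be opened, and also exposes the expiry probe you would wire into monitoring so the 90-day lifetime discussed earlier never surprises you. It shells out to the openssl CLI, which is assumed to be installed; the `RENEWED_LINEAGE` variable is what certbot sets for `--deploy-hook` scripts, while the output path, the `P12_PASSWORD` variable and the `ldap` friendly name are illustrative choices.

```python
#!/usr/bin/env python3
"""
Added example: a certbot-style deploy hook that turns a renewed PEM lineage into a
PKCS#12 bundle for consumers that cannot read PEM (LDAP server, firewall), verifies
the bundle, and offers an expiry probe for monitoring. Uses the openssl CLI (assumed
installed); output path, env var names and the friendly name are illustrative.
"""
import os
import subprocess
import tempfile
from pathlib import Path

OPENSSL = "openssl"


def cert_valid_for(cert_pem: Path, seconds: int) -> bool:
    """True if the certificate is still valid `seconds` from now (openssl x509 -checkend).
    certbot renews at about 30 days left, so alerting below that catches a broken cron."""
    r = subprocess.run([OPENSSL, "x509", "-in", str(cert_pem), "-noout", "-checkend", str(seconds)],
                       capture_output=True)
    return r.returncode == 0


def export_pkcs12(live_dir: Path, out_file: Path, password: str, friendly_name: str = "ldap") -> bool:
    """Bundle privkey.pem + fullchain.pem into out_file. The password travels through an
    environment variable rather than the command line so it does not show up in `ps`."""
    env = {**os.environ, "P12PASS": password}
    subprocess.run([OPENSSL, "pkcs12", "-export",
                    "-inkey", str(live_dir / "privkey.pem"),
                    "-in", str(live_dir / "fullchain.pem"),
                    "-name", friendly_name,
                    "-out", str(out_file), "-passout", "env:P12PASS"],
                   check=True, env=env, capture_output=True)
    os.chmod(out_file, 0o600)   # the bundle contains the private key
    # Re-open the bundle the way the consumer will, so a bad export fails here, not at 3 a.m.
    r = subprocess.run([OPENSSL, "pkcs12", "-in", str(out_file), "-passin", "env:P12PASS", "-noout"],
                       env=env, capture_output=True)
    return r.returncode == 0


def pkcs12_subject(p12: Path, password: str) -> str:
    """Subject of the end-entity certificate inside the bundle."""
    env = {**os.environ, "P12PASS": password}
    pem = subprocess.run([OPENSSL, "pkcs12", "-in", str(p12), "-passin", "env:P12PASS",
                          "-nokeys", "-clcerts"], env=env, capture_output=True, check=True).stdout
    out = subprocess.run([OPENSSL, "x509", "-noout", "-subject"], input=pem,
                         capture_output=True, check=True).stdout
    return out.decode().strip()


def make_selfsigned_lineage(live_dir: Path, cn: str, days: int) -> None:
    """Stand-in for a certbot live directory, for dry runs only (self-signed, constructed)."""
    subprocess.run([OPENSSL, "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", str(live_dir / "privkey.pem"), "-out", str(live_dir / "fullchain.pem"),
                    "-subj", f"/CN={cn}", "-days", str(days)], check=True, capture_output=True)


def demo() -> dict:
    """Dry run in a temp directory; returns the observations instead of printing them."""
    d = Path(tempfile.mkdtemp())
    make_selfsigned_lineage(d, "ldap.example.test", days=2)
    p12 = d / "ldap.p12"
    return {
        "valid_1d": cert_valid_for(d / "fullchain.pem", 1 * 86400),
        "valid_10d": cert_valid_for(d / "fullchain.pem", 10 * 86400),
        "exported": export_pkcs12(d, p12, "dry-run-password"),
        "mode": p12.stat().st_mode & 0o777,
        "subject": pkcs12_subject(p12, "dry-run-password"),
    }


if __name__ == "__main__":
    lineage = os.environ.get("RENEWED_LINEAGE")   # set by: certbot renew --deploy-hook <this script>
    if lineage:
        ok = export_pkcs12(Path(lineage), Path("/etc/ldap/ldap.p12"), os.environ["P12_PASSWORD"])
        raise SystemExit(0 if ok else 1)
    print(demo())
```

Run it with no environment to see the dry run; as a hook it only fires when certbot actually renewed something, so the LDAP server and firewall get the new bundle on the same 60-day cadence as the web server, and restarting or reloading those services is the one step you still have to add for your particular products.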

The simple answer to this is that many webmasters just don't want to do these things, which unnecessarily consume their precious time. In the case of Let's Encrypt it's easy to use and free, but you have to remember to re-install the certificate every 3 months. If you don't, or just forget to do it, then your site will show a 404 error to your visitors and search engines.

"you have to remember " No, you need to put in place the needed automation and let it do its job without having anything to remember. You must also do monitoring.
– Patrick Mevzek, Aug 16 '19 at 16:56

"then your site will show a 404 error" Certainly not. An expired certificate will trigger a TLS handshake failure and nothing will arrive at the HTTP level. Clients will see a big warning in their browser with some text (that they will basically not understand) and a button asking them if they want to go through or not.
– Patrick Mevzek, Aug 16 '19 at 16:56

Many hosting sites are just making letsencrypt a button push for no extra charge. You literally just click a button in the website configuration panel that says "I want it!" and everything happens automatically from that point on, including renewal.
– President James K. Polk, Aug 17 '19 at 17:20

As a professional admin for ~100 domains, I can tell you that I very much prefer Let's Encrypt with automated renewal over renewing the certificates manually every year, as I had to do before with our previous CA.
– marcelm, Aug 17 '19 at 18:18

Using acme.sh to install the Let’s Encrypt certificates also installs the renewal. It’s more work not to do it.
– Colin 't Hart, Aug 18 '19 at 10:48